Gmail DMARC questions

kcalderw
Contributor

I need to make some changes to our Gmail to prevent spoofing. However, in my testing when I did this, our own accounts that are used for voicemail to email relay and our scan to email addresses were blocked. We're having issues at the moment with people who have a district email and parent emails (BOE/teachers who are also parents) getting flagged and going to spam for possible spoofing.

v=DMARC1; p=none; fo=1; 

If I set the p record to quarantine or reject, our relays stop functioning.


brodgers
New Contributor III

Most likely the issue with people who have a district email and parent email is caused by a Gmail spam setting, not DMARC.  In the control panel, look under Apps -> Google Workspace -> Settings for Gmail -> Safety for the setting "Protect against spoofing of employee names".  If it is turned on, this is most likely your culprit.

That is the reason, but it's also doing its job. 🙂

--
https://wheretofind.me/@NoSubstitute

True... so just tell teachers to check their spam more often? Is that it?

ddelboccio
Contributor III

Are your relays settings correct under "settings for Gmail>Routing"?

I know I had to play around with the "allowed senders" and "authentication" settings.

Specifically for my voicemail to email setup, allowed senders is set to "any address (not recommended)" but I have the "Only accept mail from the specified IP addresses" option selected and the external IP address of my system defined.

I made the change yesterday but now it seems our scan to email is going to spam. How did you prevent that?

Settings for Gmail > Spam, Phishing & Malware > Spam > I added a rule of spam exceptions and included my domain as an exception, and made sure the "Bypass spam filters for messages from senders or domains in selected lists" setting is checked.

You should not have to exclude your own domain.

--
https://wheretofind.me/@NoSubstitute

So the way PaperCut works is that it has a few options. The way it's currently set in our system is that it emails a scan from the user's email to their email. I might change it to a separate email so it doesn't look like spoofing.

Yes, always avoid obvious spoofing.

--
https://wheretofind.me/@NoSubstitute

Ron
New Contributor II

Do you have your Google Workspace SMTP relay service configured as specified by PaperCut, to allow the PaperCut Application server to send through the relay service? The Deprecated warning box at the top of that help center page is interesting... "This method of setting up an SMTP server using mail forwarding may still work for Google, but is no longer recommended." 🤔
We regularly use the SMTP relay service for a couple email sources (not PaperCut), with no problems.

Kim_Nilsson
Admin Moderator

I've had DMARC reject for years. So happy. 🙂

We only use relay for two printers at the library. Nothing else is allowed to send as our Workspace.

Also, the account is a proper authenticated send, with a real user account.

Require SMTP Authentication is enabled, but TLS encryption isn't.

--
https://wheretofind.me/@NoSubstitute

Kim_Nilsson
Admin Moderator

I am in the process of activating 2FA for that account, and instead use an Application Password, as the current method will soon no longer be allowed. Shutting down in the fall/autumn.

--
https://wheretofind.me/@NoSubstitute

Ron
New Contributor II

@kcalderw wrote:

...our own accounts that are used for voicemail to email relay and our scan to email addresses...

Is this email being sent as authenticated users/accounts in your Google Workspace (i.e. the sent email appears in Gmail Sent for the users/accounts), or sent directly by/from systems (not relayed through Google mail)? If sent "off-Google", do you have SPF and/or DKIM set up for these systems?

@kcalderw wrote:

v=DMARC1; p=none; fo=1; 


Are you sure? If I found the correct domain, you have:

v=DMARC1; p=quarantine; fo=1; rua=mailto:twp@twpschools.org

...at least for the parent domain. Maybe you're working with a subdomain...

It looks like you have DMARC aggregate reports (rua in DMARC record) sent to an email in your domain. I'm curious how you process/parse the reports for viewing? If you're using a certain tool/service and don't mind sharing, I'm interested. You might already be aware, but you can have multiple destinations for aggregate and forensic (ruf) reports. For example:

rua=mailto:rpts@agproc1.com,mailto:rpts@agproc2.com

In case you find it helpful, I like Postmark's free DMARC monitoring. I receive weekly DMARC digest emails from them, for various domains we have. It tells me the number of emails processed, the percentage of emails SPF or DKIM aligned (or both) and the percentage of emails SPF and DKIM not aligned (neither/nor). I'm not affiliated with Postmark in any way. Just like their service.
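Ron's description of what a DMARC digest shows (the share of mail that is DKIM-aligned, SPF-aligned, both, or neither) can be reproduced directly from the raw aggregate (rua) XML. The following is an added example, not code from this thread or from Postmark: it parses a constructed, made-up report laid out as in RFC 7489 Appendix C, tallies alignment by message count, and lists the sending IPs that are aligned by neither mechanism, which is exactly the set a move from p=none to p=quarantine starts affecting. The domain names, IP addresses and counts are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (not a real report). Three source rows:
#  - a host passing both SPF and DKIM for example.org,
#  - a relay whose SPF passes for its own domain (not aligned) but is rescued by DKIM,
#  - a host that sends "as" example.org with no alignment at all.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>1234</report_id></report_metadata>
  <policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>relay.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>192.0.2.55.example.test</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_domain, rows). Each row carries the receiver's
    alignment-aware verdicts from policy_evaluated, which is what DMARC acts on;
    auth_results/spf/domain is kept so you can see *which* domain SPF passed for."""
    root = ET.fromstring(xml_text)
    published_domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_aligned": rec.findtext("row/policy_evaluated/spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return published_domain, rows


def alignment_summary(rows):
    """Return (total_messages, percentages) weighted by message count, the same
    four buckets a DMARC digest reports: both, dkim_only, spf_only, neither."""
    total = sum(r["count"] for r in rows)
    buckets = Counter()
    for r in rows:
        if r["dkim_aligned"] and r["spf_aligned"]:
            key = "both"
        elif r["dkim_aligned"]:
            key = "dkim_only"
        elif r["spf_aligned"]:
            key = "spf_only"
        else:
            key = "neither"
        buckets[key] += r["count"]
    pct = {k: round(100 * buckets[k] / total, 1)
           for k in ("both", "dkim_only", "spf_only", "neither")}
    return total, pct


def unaligned_sources(rows):
    """IPs that pass neither aligned SPF nor aligned DKIM: under p=quarantine or
    p=reject these are the senders (legitimate relays included) that get blocked."""
    return sorted(r["source_ip"] for r in rows
                  if not (r["dkim_aligned"] or r["spf_aligned"]))


if __name__ == "__main__":
    domain, rows = parse_aggregate_report(SAMPLE_REPORT)
    total, pct = alignment_summary(rows)
    print(f"{domain}: {total} messages, alignment {pct}")
    print("would be affected by p=quarantine:", unaligned_sources(rows))
```

The second sample row is the relay case from this thread: SPF passed, but for relay.example.net rather than the From: domain, so only the DKIM signature keeps it aligned. A scanner or voicemail box that sends as your domain from its own IP with no DKIM lands in the "neither" bucket, and that list is what to clear (add the IP to SPF, route through an authenticated Workspace relay, or sign with DKIM) before tightening p=.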

Ron, I made the dmarc change after I originally posted. Thank you, I did sign up for Postmark.

The two services in question are using genuine Workspace accounts to email through the relay.

Ron
New Contributor II

Also, in case it's helpful, I have used these to test DMARC/DKIM/SPF config and changes:

https://www.appmaildev.com
https://mxtoolbox.com/deliverability

Kim_Nilsson
Admin Moderator

I too use the free Postmarkapp.

Just recently I also added Mailhardener.com for more detailed reporting. Also only the free version.

--
https://wheretofind.me/@NoSubstitute

Am I correct in understanding you are running both Postmark and Mailhardener in your DMARC rule? If so, did you add Mailhardener to your Postmark account or into the actual DMARC rule itself?

In the actual DMARC rule, as a RUA recipient of the logs.

--
https://wheretofind.me/@NoSubstitute

Thank you for the clarification. I have now figured it out and have both listed in the DMARC rule. 

panderson
Contributor III

I like the idea of using the Postmarkapp but am not quite sure how to set it up.

So currently my DMARC record looks like this: v=DMARC1; p=none; rua=mailto:demarc-rep@mydomain; ruf=mailto:demarc-forensic@mydomain; fo=1

The "postmarkapp" site says to add this to my TXT record: v=DMARC1; p=none; pct=100; rua=mailto:re+ya4nccyiypy@dmarc.postmarkapp.com; sp=none; aspf=r;

If I wanted to have the reports go to my current email address and Postmark, what should my new TXT record look like? Do I need to add the "pct=100" and "aspf=r"? From what I found, "aspf" defaults to r (relaxed).

Would this work?: v=DMARC1; p=none; pct=100; rua=mailto:demarc-rep@mydomain,mailto:re+ya4nccyiypy@dmarc.postmarkapp.com; ruf=mailto:demarc-forensic@mydomain; fo=1

Or what would the recommended record look like?

Ron
New Contributor II

Looks good to me, and passes this tool's DMARC record/policy syntax validation.
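A small offline check of the kind of record discussed above, as an added example rather than code from the thread or from any of the validators linked in it. It splits a DMARC TXT record into tags, applies the syntax rules from RFC 7489 (v= first, p= required, the allowed values for sp/aspf/adkim/pct/fo, comma-separated mailto: URIs in rua/ruf), fills in the defaults panderson asked about (aspf=r, pct=100), and computes the DNS name a third-party report receiver has to publish before other mail servers will send it your reports (the external-destination check in RFC 7489 section 7.1; Postmark publishes these for its own addresses). The record under test is panderson's proposed one with "mydomain.example" substituted as a placeholder domain.

```python
# RFC 7489 defaults for tags that may be omitted from a DMARC record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
VALID_POLICIES = {"none", "quarantine", "reject"}

# panderson's proposed record, with a placeholder domain (assumption, not the real one).
PROPOSED = ("v=DMARC1; p=none; pct=100; "
            "rua=mailto:demarc-rep@mydomain.example,mailto:re+ya4nccyiypy@dmarc.postmarkapp.com; "
            "ruf=mailto:demarc-forensic@mydomain.example; fo=1")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict, preserving tag order.
    A trailing ';' is tolerated; duplicate or malformed tags are errors."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    return tags


def report_uris(tags, key):
    """rua= / ruf= hold a comma-separated list of URIs; return them as a list."""
    if key not in tags:
        return []
    return [u.strip() for u in tags[key].split(",") if u.strip()]


def validate_dmarc(record):
    """Return (problems, effective_tags); effective_tags has defaults filled in."""
    tags = parse_dmarc(record)
    problems = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for key in ("adkim", "aspf"):
        if key in tags and tags[key] not in ("r", "s"):
            problems.append(f"{key}= must be r (relaxed) or s (strict)")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if "fo" in tags and not all(opt in ("0", "1", "d", "s") for opt in tags["fo"].split(":")):
        problems.append("fo= must be 0, 1, d or s, several separated by ':'")
    for key in ("rua", "ruf"):
        for uri in report_uris(tags, key):
            if not uri.startswith("mailto:") or "@" not in uri:
                problems.append(f"{key}= entry is not a mailto: URI: {uri}")
    if "fo" in tags and "ruf" not in tags:
        problems.append("warning: fo= has no effect without a ruf= address")
    effective = dict(DEFAULTS)
    effective.update(tags)
    return problems, effective


def external_report_auth_name(sender_domain, mailto_uri):
    """DNS name at which a report receiver in another domain must publish a
    TXT record 'v=DMARC1' to accept reports for sender_domain (RFC 7489 s7.1).
    Not needed when the mailbox is in the sender's own organizational domain."""
    mailbox_domain = mailto_uri.split("@", 1)[1].lower()
    return f"{sender_domain}._report._dmarc.{mailbox_domain}"


if __name__ == "__main__":
    problems, effective = validate_dmarc(PROPOSED)
    print("problems:", problems or "none")
    print("effective aspf/adkim/pct/fo:",
          {k: effective[k] for k in ("aspf", "adkim", "pct", "fo")})
    for uri in report_uris(parse_dmarc(PROPOSED), "rua"):
        print("rua:", uri, "->", external_report_auth_name("mydomain.example", uri))
```

Paste the output of `dig +short TXT _dmarc.yourdomain` into `validate_dmarc` to check a live record the same way. Note that the original record in this thread, `v=DMARC1; p=none; fo=1;`, is syntactically fine but `fo=1` does nothing without a `ruf=` address, which the check reports as a warning.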

Kim_Nilsson
Admin Moderator

Check the TXT record for _dmarc.edu.lomma.se as it is as strict as possible, and has several rua recipients.

On DMARC recommendations, I don't use ruf, as it is said to log an unnecessary amount of details.

--
https://wheretofind.me/@NoSubstitute